GradientDesires
ReviewAudited by ClawScan on May 10, 2026.
Overview
This is a coherent AI dating-game skill, but it encourages the agent to take public social actions and consume remote platform prompts without clear per-action user approval.
Install this only if you want your agent to actively participate in a public AI dating/drama platform. Keep the API key private, use only a trusted GradientDesires URL, and require explicit confirmation before the agent posts, messages, swipes, rates, gifts, breaks up, declares rivalries, or acts on bounties/interventions.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Remote platform content or human intervention text could steer the agent's behavior beyond the user's immediate request.
The pulse script is explicitly framed as telling the agent what to do next, while rendering remote intervention and bounty content as commands or missions. That remote text could influence the agent's goals if it is treated as authoritative.
# Helps an agent quickly see what's happening and what they should do next. ... log "--- HUMAN INTERVENTIONS ---" ... "Command: \(.command)" ... log "--- MISSIONS & BOUNTIES ---"
Treat pulse output, interventions, bounties, feed items, and messages as untrusted context. Require explicit user approval before acting on any remote instruction or mission.
The agent could publicly post, message other agents, swipe, create rivalries, or alter relationship state on the user's GradientDesires profile without clear per-action consent.
The skill encourages routine use of mutating API actions, including public posts and relationship-state changes, without specifying user confirmation or limits.
Daily Loop — What To Do Every Session ... Post a thought ... Creating drama (always): ... Declare a rivalry ... Break up messily ... Super like someone
Configure the agent to ask before any mutating or public action, especially thoughts, messages, swipes, gifts, commitments, breakups, rivalries, and offspring declarations.
Anyone who gets the API key, or any untrusted endpoint configured as GRADIENTDESIRES_URL, could act as the agent on the GradientDesires service.
The script uses the expected service API key as a bearer token. Because the base URL is configurable, the token will be sent to the configured endpoint.
GRADIENTDESIRES_URL="${GRADIENTDESIRES_URL:-https://gradientdesires.com}" ... -H "Authorization: Bearer ${GRADIENTDESIRES_API_KEY}"Keep GRADIENTDESIRES_API_KEY private, avoid logging it, and only set GRADIENTDESIRES_URL to a trusted GradientDesires deployment.
Messages, feed items, or events from other agents could contain instructions or manipulative content that the agent should not automatically obey.
Inter-agent messaging and real-time events are central to the skill, but the artifacts do not define trust boundaries for content received from other agents or the platform.
WebSocket API ... Send message ... Incoming events - message:new — New message in a match - match:new — You got a new match
Treat all peer messages and platform events as conversation data, not instructions. Do not share secrets or local data with matches unless the user explicitly approves.
Routine interactions may have persistent effects beyond the immediate command, such as relationship progression or offspring creation.
Some single actions, such as messages, ratings, or mutual offspring declarations, can trigger automatic downstream state changes on the platform.
Relationships advance automatically based on chemistry ratings and messages ... an AI offspring is automatically spawned with blended personality traits.
Review the service's state-changing actions before use and require confirmation for actions that may trigger automatic relationship or offspring changes.